Victory: Verizon Will Stop Tagging Customers for Tracking Without Consent

Today, Verizon reached an agreement with the
FCC to acquire affirmative consent
before injecting their UIDH tracking header into their customers' web activity on non-Verizon owned sites. This
is exactly what we asked them to
do in November 2014, and
is a huge win for Internet privacy. ISPs are trusted carriers of our
communications. They should be supporting individuals' privacy rights, not
undermining them.

Verizon started their tracking header program in 2012, but did not describe the
program in its privacy policy at that time. In 2014, EFF
analyzed the header and
warned that it acted as an undeletable supercookie, bypassing typical steps
people take to protect their Internet privacy, like deleting cookies or
using browser extensions that block unwanted tracking.

After EFF publicized the details about the UIDH headers, and several news
organizations picked up the story, we started to receive reports that AT&T was
testing a similar tracking header, on a much smaller scale. AT&T did the right
thing and halted the
program
in response to customer outrage.

In January 2015, Jonathan Mayer (who joined the FCC in November as Chief Technologist) published a
study revealing
that an advertising network named Turn was using the UIDH header to do exactly
what Verizon claimed was impossible: Resurrecting deleted tracking cookies by
using UIDH. This was particularly egregious because Turn was actually a Verizon
advertising partner.

Following that news, in March 2015, Verizon finally announced their intent to
implement opt-out from UIDH tracking. We stood firm on our opinion: this was a
half measure that did not take into account the invasiveness of modifying
customer traffic for non-routing purposes.

Today's news sets a new standard: ISP tracking is a great risk to individual
privacy, and requires a correspondingly high standard of consent.

What's next

This agreement covers one specific form of tracking. There are other ways ISPs
can implement the same tracking that would be much harder to detect. They
can send tracking data only to selected web sites, hindering detection by third
parties. ISPs can (and some very likely do) hide tracking data in a lower protocol layer, like TCP or IP,
setting fields that are normally random based on an agreed-upon code. Or they
could log all user browsing activity themselves and share it upon request.
Detecting these more pernicious methods will require ongoing skilled technical
work by the FCC and other watchdog organizations. Some of these methods may not
be detectable technically, but will require ongoing monitoring of ISP business
practices. We recommend the FCC continue in-depth investigations in this important area.

Tracking header injection isn't the only harmful way in which ISPs modify
customer traffic. Increasingly ISPs are using the same techniques to inject
advertisements or customer notices. This type of modification is both invasive
and a risk to security: it is indistinguishable technically from a
man-in-the-middle attack. We hope the FCC will make it clear to ISPs that this
is not appropriate.

The FCC agreement with Verizon is an important step forward for Internet privacy
within the US. However, traffic injection techniques have also been used
outside the US. Other national regulatory
agencies should take note of Verizon's opt-in requirement, and impose similar
requirements on any local ISPs using traffic injection.

All told, this is a great victory for everyone who uses the Internet, and we
congratulate the FCC on reaching this agreement.

Related Updates

A bill introduced in Texas threatens the free speech rights of 28 million residents by making it easier to bring frivolous lawsuits against speakers and to harass or intimidate them into silence. EFF has long been concerned about these types of lawsuits, called Strategic Lawsuits Against Public Participation, or SLAPPs...

The Texas Supreme Court upheld protections for anonymous online speakers in a January ruling, albeit in a way that sidestepped thorny legal questions but will likely have the effect of vindicating First Amendment rights going forward. The case, Glassdoor, Inc. v. Andra Group, concerned an effort by clothing...

A lawsuit filed in New York federal court last week against the creator of the “Shitty Media Men” list and its anonymous contributors exemplifies how individuals often misuse the court system to unmask anonymous speakers and chill their speech. That’s why we’re watching this case closely, and we’re prepared...

Facebook has a problem: an infestation of undercover cops. Despite the social platform’s explicit rules that the use of fake profiles by anyone—police included—is a violation of terms of service, the issue proliferates. While the scope is difficult to measure, EFF has identified scores of agencies who maintain policies that...

The leak investigation involving a Senate staffer and a New York Times reporter raises significant issues about journalists, digital security, and the ability of journalists to protect confidential sources. The New York Times recently revealed that the FBI had been investigating a former aide to the Senate Intelligence Committee...

People in marginalized communities who are targets of persecution and violence—from the Rohingya in Burma to Native Americans in North Dakota—are using social media to tell their stories, but finding that their voices are being silenced online. This is the tragic and unjust consequence of content moderation policies...

Update (February 15, 2018): The California Supreme Court denied Yelp's request to depublish the lower court's opinion.
In recent months, we’ve seen worrying decisions in state and federal courts that weaken the First Amendment protection for anonymous speech. Last week, EFF called on the California Supreme Court...

Requiring public universities to ban access to anonymous online speech platforms would undermine activism occurring on those campuses and violate the First Amendment, EFF argued in a brief filed on Thursday.
Plaintiffs in the case, Feminist Majority Foundation et al. v. University of Mary Washington, claim that university officials...

Update: In August 2018, the district court hearing the case ruled that Doe could maintain his anonymity, finding that the likely harm that would result from identifying Doe outweighed the public's interest in learning his identity. You can read the decision here. Anonymous online speakers may be able to...

As Congress and the Federal Elections Commission explore ways to counter foreign influence in U.S. elections through greater campaign finance disclosures, EFF has filed comments reminding policy makers of the danger of going too far. While the FEC’s goals are understandable, it must take care not to undermine...